Cyble Research & Intelligence Labs (CRIL) has shared new details about weekly industrial control systems (ICS) vulnerabilities. These vulnerabilities were disclosed in advisories issued by the Cybersecurity and Infrastructure Security Agency (CISA) from October 15 to October 21, 2024. The report outlines critical security concerns affecting various vendors and highlights the urgency for organizations to address these vulnerabilities promptly.
During the reporting period, CISA released seven security advisories targeting ICS, which collectively identified 13 distinct vulnerabilities across several companies, including Siemens, Schneider Electric, Elvaco, Mitsubishi Electric, HMS Networks, Kieback&Peter, and LCDS – Leão Consultoria e Desenvolvimento de Sistemas Ltda ME. Notably, Elvaco disclosed four vulnerabilities, while Kieback&Peter reported three.
Among the highlighted vulnerabilities, particular attention is drawn to those affecting the Elvaco CMe3100 and Kieback&Peter DDC4000 Series. The Elvaco CMe3100 is a compact and intelligent communication gateway designed to remotely read energy meters. Cyble’s ODIN scanner has identified 1,186 instances of the CMe3100 exposed to the internet, with a large concentration of these devices in Sweden.
The Kieback&Peter DDC4000 Series comprises digital controllers utilized primarily in building automation systems for HVAC (heating, ventilation, and air conditioning) management. The scanner detected eight instances of these controllers that require urgent attention.
The vulnerabilities reported by Cyble Research & Intelligence Labs (CRIL) provide critical insights for organizations aiming to prioritize their patching efforts.
CVE-2024-3506: Among the key vulnerabilities identified, CVE-2024-3506 affects Siemens’ Siveillance Video Camera, with all versions prior to V13.2 vulnerable to a medium-severity classic buffer overflow, impacting physical access control systems and CCTV.
CVE-2023-8531: Schneider Electric’s Data Center Expert, specifically versions 8.1.1.3 and prior, is susceptible to CVE-2023-8531, which involves high-severity improper verification of cryptographic signatures, affecting control systems such as DCS, SCADA, and BMS.
CVE-2024-49396 and CVE-2024-49398: Elvaco’s CMe3100, version 1.12.1, is highlighted with multiple vulnerabilities, including CVE-2024-49396 for insufficiently protected credentials and CVE-2024-49398 for an unrestricted upload of files with dangerous types; the two are classified as high and critical, respectively, posing risks to gateway and remote access systems.
CVE-2024-41717: Kieback&Peter’s DDC4002 and related versions are affected by CVE-2024-41717, which presents a critical path traversal vulnerability impacting field controllers and IoT devices.
CISA’s recent advisories reveal a predominance of such high-severity vulnerabilities within the ICS sector, highlighting the need for organizations to remain vigilant and implement effective mitigation strategies in response to these emerging threats.
Cyble emphasizes several key recommendations to enhance organizational cybersecurity:
The ICS vulnerability report highlights the pressing need for organizations to address the high-severity vulnerabilities identified by the Cybersecurity and Infrastructure Security Agency.
With significant risks affecting major vendors like Siemens and Schneider Electric, it is crucial for businesses to adopt proactive measures, including patch management strategies and effective network segmentation.
By staying vigilant and responsive to these vulnerabilities, organizations can better protect their critical infrastructure and enhance their overall cybersecurity posture.